Skip to main content

Main Area


Biggest data breaches of the last 20 years

  • Biggest data breaches of the last 20 years
    1/ Blogtrepreneur // Flickr

    Biggest data breaches of the last 20 years

    In 2017, the Identity Theft Resource Center released its annual Data Breach Year-End Review. The report tallied 1,579 data breaches in 2017 alone, representing a shocking 44.7% increase over 2016—and 2016's numbers were a record high at the time.

    The servers, databases, and networks maintained by businesses, banks, governmental entities, health care organizations, and even educational institutions are juicy targets for online criminals. Within those digital warehouses lies the personal data of millions and even billions of people, whose birthdays, passwords, Social Security numbers, and login credentials can be used to steal their identities, hack into their accounts, and take out loans in their names.

    The last two decades have witnessed a shocking rash of successful attacks on what many people previously believed were impenetrable security networks. The worst of them netted their masterminds vast stores of personal and financial data belonging to regular customers and account holders, many of whom wouldn't find out for years that their data had been compromised.

    Here's a look at the worst data breaches of the last 20 years.

  • #20. Uber
    2/ Sandeepnewstyle // Wikimedia Commons

    #20. Uber

    Year: 2017

    Records obtained: 57,000,000

    Organization type: Transportation

    Data breach method: Hacked

    By any measurable standard, Uber had an abysmal 2017. Among the rideshare company's biggest scandals that year was the revelation that in 2016, two hackers breached the company's databases and stole phone numbers, email addresses, and other private data belonging to 57 million Uber customers as well as 600,000 drivers license numbers belonging to the company's drivers. Uber’s decision-makers made a bad thing worse by failing to alert law enforcement, which is required by law, hiding the breach from the public for the better part of a year—including the names of the hackers' victims—and, perhaps worst of all, by paying the hackers a $100,000 bounty to delete the data: a move that was universally denounced by security experts.


  • #19. Tumblr
    3/ Marco Arment // Wikimedia Commons

    #19. Tumblr

    Year: 2013

    Records obtained: 65,469,298

    Organization type: Web

    Data breach method: Hacked

    In 2013, hackers stole personal and password information belonging to 65 million Tumblr users. The company, which at the time had not yet been purchased by Yahoo, didn't disclose the infiltration until 2016, when online sleuths found the information for sale on the so-called “dark web.”  


  • #18. Target Corporation
    4/ Kelly Martin // Wikimedia Commons

    #18. Target Corporation

    Year: 2014

    Records obtained: 70,000,000

    Organization type: Retail

    Data breach method: Hacked

    Since the data was stolen between Nov. 27 and Dec. 15, some publications referred to the 2014 Target data breach as "the nightmare before Christmas." The retailer originally said that credit and debit card information—including card numbers, expiration dates and CVV numbers—for as many as 40 million customers could have been stolen by hackers starting on Black Friday weekend. The retail giant later revealed that number was actually closer to 70 million, and that the breach also included email addresses, mailing addresses, and phone numbers.


  • #17. National Archives and Records Administration (U.S. military veterans' records)
    5/ US Air Force // Wikimedia Commons

    #17. National Archives and Records Administration (U.S. military veterans' records)

    Year: 2009

    Records obtained: 76,000,000

    Organization type: Military

    Data breach method: Lost or stolen media

    In 2010, the National Archives and Records Administration revealed that in March 2009, a two-terabyte external hard drive went missing from a processing room at a facility in College Park, Maryland. The drive contained personal information including the names and Social Security numbers of former Clinton administration staff and White House visitors.


  • #16. JPMorgan Chase
    6/ Joe Mabel // Wikicommons

    #16. JPMorgan Chase

    Year: 2014

    Records obtained: 76,000,000

    Organization type: Financial

    Data breach method: Hacked

    According to a New York Times report, the 2014 JPMorgan Chase computer breach, history's largest bank hack at that time, could have been prevented with a simple security fix. Hackers gained entry into the financial giant's vast computer network by accessing an employee's login credentials and targeting the bank's weak link: a single server that the Chase security team neglected to protect with basic dual-factor authentication.


  • #15. Sony PlayStation Network
    7/ Tokumeigakarinoaoshima // Wikimedia Commons

    #15. Sony PlayStation Network

    Year: 2011

    Records obtained: 77,000,000

    Organization type: Gaming

    Data breach method: Hacked

    In 2011, gamers across the world wondered why they had been locked out of the PlayStation Network. While the lack of access was frustrating, the reason why was even more daunting. Between April 17 and 19, an unauthorized person hacked into the Sony system and stole a wealth of personal data—including birthdays, security questions, passwords, and login credentials—in one of history's biggest infiltrations into a cache of credit card data.


  • #14. Anthem Inc.
    8/ Ivan2010 // Wikimedia Commons

    #14. Anthem Inc.

    Year: 2015

    Records obtained: 80,000,000

    Organization type: Health care

    Data breach method: Hacked

    In 2015, the second-largest health insurance company in America was the target of a massive data breach. Anthem Inc.'s CEO was among the 80 million victims whose data—including names, Social Security numbers, home addresses, birthdays, email addresses, and medical IDs—was stolen by hackers. In 2017, the company settled a class-action lawsuit in the wake of the hack.


  • #13. AOL
    9/ CoolCaesar // Wikimedia Commons

    #13. AOL

    Year: 2004

    Records obtained: 92,000,000

    Organization type: Web

    Data breach method: Hacked/inside job

    In 2004, a 24-year-old America Online software engineer was arrested by federal authorities for hacking into the company's computers to steal 92 million email addresses. He sold the data for $100,000 to an online gambling business owner in Las Vegas, who then relentlessly spammed those email addresses.


  • #12. MyHeritage
    10/ MyHeritage // Wikimedia Commons

    #12. MyHeritage

    Year: 2018

    Records obtained: 92,283,889

    Organization type: Genealogy

    Data breach method: Unknown

    In 2018, Israel-based DNA and genealogy company MyHeritage revealed that in October of the previous year, hackers had broken into the company's computers and stolen a massive file containing more than 92 million email addresses and passwords. Although the passwords were "hashed," which is a security measure that renders them useless if inappropriately accessed, the attack forced industry experts to take a second look at the preparedness of the DNA and genealogy industry.

  • #11. TK / TJ Maxx
    11/ Dwight Burdette // Wikimedia Commons

    #11. TK / TJ Maxx

    Year: 2007

    Records obtained: 94,000,000

    Organization type: Retail

    Data breach method: Hacked

    When hackers stole data from tens of millions of TJ Maxx and Marshall's customers in 2007, it was believed to be the biggest attack of its kind at that time—and that's when officials still thought there were only 45.7 million victims. It would soon come out that more than twice that number of accounts were compromised. The hackers easily bypassed the company's wired equivalent privacy (WEP) LAN security, which is notoriously weak.


  • #10.
    12/ Perzon Seo // Flickr


    Year: 2012

    Records obtained: 98,167,935

    Organization type: Web

    Data breach method: Hacked is a web portal that was informally known as "the Yahoo of Russia." When hackers stole nearly 100 million user logins in February 2012, the site's customers faced an especially grave threat of identity theft. The site had not even taken the basic step of encrypting their passwords.


  • #9. Heartland
    13/ Nic Mcphee // Flickr

    #9. Heartland

    Year: 2009

    Records obtained: 130,000,000

    Organization type: Financial

    Data breach method: Hacked

    In 2009, a skilled hacker pulled off what was at that time the largest data breach in history when he successfully infiltrated a massive database of customer records at credit card-processing company Heartland Payment Systems. Heartland was just one victim of hacker Albert Gonzalez, who received two concurrent 20-year federal prison sentences for digital attacks that also targeted Dave & Buster's, 7-Eleven and OfficeMax.


  • #8. Equifax
    14/ Alex Wong // Getty Images

    #8. Equifax

    Year: 2017

    Records obtained: 143,000,000

    Organization type: Financial, credit reporting

    Data breach method: Poor security

    One of the things that made 2017's massive Equifax data breach so upsetting to its victims was that unlike Target or Uber, they never chose to give the company their information. As one of three major credit reporting agencies, Equifax compiles data on most Americans from a variety of sources, which makes it a particularly enticing target for data criminals. In 2017, thieves struck gold when they stole names, addresses, drivers license numbers, birthdays, Social Security numbers, and potentially even passport information for nearly 145 million people.  


  • #7. eBay
    15/ CoolCaesar // Wikimedia Commons

    #7. eBay

    Year: 2014

    Records obtained: 145,000,000

    Organization type: Web

    Data breach method: Hacked

    In order for hackers to gain access to the personal information of 145 million eBay customers, all they had to do was hack three corporate employees. The 2014 eBay hack was bad enough, but eBay made it worse by keeping the attack quiet, then later claiming it believed that no customer data had been compromised.


  • #6. Under Armour
    16/ Maryland GovPics // Wikimedia Commons

    #6. Under Armour

    Year: 2018

    Records obtained: 150,000,000

    Organization type: Consumer Goods

    Data breach method: Hacked

    The recent Under Armour hack stood out not only for its massive number of victims, but because the cybercriminals who pulled it off infiltrated the company through an app. The breach originated in Under Armour's MyFitnessPal app, which eventually yielded private information belonging to more than 150 million people. There was some good news, however: since Under Armour did a good job of segmenting its user data, the criminals only got away with email addresses, usernames, and passwords—not critical information like financial data or Social Security numbers.


  • #5. Adobe Systems
    17/ CoolCaesar // Wikimedia Commons

    #5. Adobe Systems

    Year: 2013

    Records obtained: 152,000,000

    Organization type: Tech

    Data breach method: Hacked

    When Adobe realized its system had been hacked in October 2013, the software company thought that as many as 2.9 million customers had been exposed. It turned out that more than 40 times that number had been compromised, with more than 152 million email addresses and passwords stolen and published online.


  • #4. Massive American business hack
    18/ Ken Teegardin // Flickr

    #4. Massive American business hack

    Year: 2012

    Records obtained: 160,000,000

    Organization type: Financial

    Data breach method: Hacked

    In what is known as the massive American business hack, five Russians and and one Ukrainian spent a seven years launching sophisticated digital attacks on companies like 7-Eleven and the Nasdaq stock exchange. The international crooks got away with 800,000 bank account numbers, and more than 160 million debit and credit card numbers.


  • #3. Friend Finder Networks
    19/ Wocintechchat // Wikimedia Commons

    #3. Friend Finder Networks

    Year: 2016

    Records obtained: 412,214,295

    Organization type: Web

    Data breach method: Poor security/hacked

    The FriendFinder Network includes sites like,,,, and When hackers breached the company's databases in 2016, they got away with two decades’ worth of information, totaling more than 412 million records. It was the largest breach of the entire year.  


  • #2. Yahoo
    20/ Eirik Refsdal // Wikimedia

    #2. Yahoo

    Year: 2014

    Records obtained: 500,000,000

    Organization type: Web

    Data breach method: Hacked

    It wasn't until 2016 that Yahoo confirmed hackers had stolen account information for a half billion of the online giant's customers. Telephone numbers, birthdays, encrypted passwords, and security questions and answers were all part of the haul. Yahoo took a full two years to go public with this fact, and only did so when an online criminal began selling the stolen data.


  • #1. Yahoo
    21/ Jazz Guy // Wikimedia Commons

    #1. Yahoo

    Year: 2013

    Records obtained: 3,000,000,000

    Organization type: Web

    Data breach method: Hacked

    If Yahoo users were worried that half a billion records were compromised in 2014, they'd likely be even less happy to know that the year before, all three billion of the company's accounts were attacked. That's about one hacked account for every 2.5 people on the planet. In 2016, Yahoo said the hack affected 1 billion accounts, then increased the already-apocalyptic number by threefold the following year.


2018 All rights reserved.